mirror of
https://github.com/super-linter/super-linter.git
synced 2024-12-22 07:12:11 -05:00
feat: checkov scans for helm charts (#5631)
This commit is contained in:
parent
88ea3923a7
commit
5b5d2f7ef0
8 changed files with 177 additions and 1 deletions
|
@ -12,6 +12,7 @@ FROM alpine/terragrunt:1.8.4 as terragrunt
|
|||
FROM dotenvlinter/dotenv-linter:3.3.0 as dotenv-linter
|
||||
FROM ghcr.io/terraform-linters/tflint:v0.51.1 as tflint
|
||||
FROM ghcr.io/yannh/kubeconform:v0.6.6 as kubeconfrm
|
||||
FROM alpine/helm:3.14.4 as helm
|
||||
FROM golang:1.22.3-alpine as golang
|
||||
FROM golangci/golangci-lint:v1.59.0 as golangci-lint
|
||||
FROM goreleaser/goreleaser:v1.26.2 as goreleaser
|
||||
|
@ -259,6 +260,11 @@ COPY dependencies/google-java-format /google-java-format
|
|||
RUN --mount=type=secret,id=GITHUB_TOKEN /install-google-java-format.sh \
|
||||
&& rm -rfv /install-google-java-format.sh /google-java-format
|
||||
|
||||
################
|
||||
# Install Helm #
|
||||
################
|
||||
COPY --from=helm /usr/bin/helm /usr/bin/
|
||||
|
||||
# Copy Node tools
|
||||
COPY --from=npm-builder /node_modules /node_modules
|
||||
|
||||
|
|
|
@ -160,6 +160,7 @@ control "super-linter-installed-commands" do
|
|||
{ linter_name: "goreleaser"},
|
||||
{ linter_name: "google-java-format", version_command: "java -jar /usr/bin/google-java-format --version"},
|
||||
{ linter_name: "hadolint"},
|
||||
{ linter_name: "helm", version_option: "version"}, # not used as linter, needed for checkov's helm framework
|
||||
{ linter_name: "htmlhint"},
|
||||
{ linter_name: "isort"},
|
||||
{ linter_name: "jscpd"},
|
||||
|
@ -510,7 +511,8 @@ control "super-linter-validate-files" do
|
|||
"/action/lib/.automation/.yaml-lint.yml",
|
||||
"/action/lib/.automation/phpcs.xml",
|
||||
"/action/lib/.automation/phpstan.neon",
|
||||
"/action/lib/.automation/psalm.xml"
|
||||
"/action/lib/.automation/psalm.xml",
|
||||
"/usr/bin/helm", # needed for checkov's helm framework
|
||||
]
|
||||
|
||||
files.each do |item|
|
||||
|
|
24
test/linters/checkov/bad/bad_chart/Chart.yaml
Normal file
24
test/linters/checkov/bad/bad_chart/Chart.yaml
Normal file
|
@ -0,0 +1,24 @@
|
|||
apiVersion: v2
|
||||
name: bad_chart
|
||||
description: A Helm chart for Kubernetes
|
||||
|
||||
# A chart can be either an 'application' or a 'library' chart.
|
||||
#
|
||||
# Application charts are a collection of templates that can be packaged into versioned archives
|
||||
# to be deployed.
|
||||
#
|
||||
# Library charts provide useful utilities or functions for the chart developer. They're included as
|
||||
# a dependency of application charts to inject those utilities and functions into the rendering
|
||||
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
|
||||
type: application
|
||||
|
||||
# This is the chart version. This version number should be incremented each time you make changes
|
||||
# to the chart and its templates, including the app version.
|
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||
version: 0.1.0
|
||||
|
||||
# This is the version number of the application being deployed. This version number should be
|
||||
# incremented each time you make changes to the application. Versions are not expected to
|
||||
# follow Semantic Versioning. They should reflect the version the application is using.
|
||||
# It is recommended to use it with quotes.
|
||||
appVersion: "1.16.0"
|
31
test/linters/checkov/bad/bad_chart/templates/deployment.yaml
Normal file
31
test/linters/checkov/bad/bad_chart/templates/deployment.yaml
Normal file
|
@ -0,0 +1,31 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: test-deployment
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: test
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: test
|
||||
spec:
|
||||
serviceAccountName: {{ .Values.serviceAccount.name }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: {{ .Values.service.port }}
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: http
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: http
|
14
test/linters/checkov/bad/bad_chart/values.yaml
Normal file
14
test/linters/checkov/bad/bad_chart/values.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
replicaCount: 1
|
||||
|
||||
image:
|
||||
repository: nginx
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
automount: true
|
||||
name: "test"
|
||||
|
||||
service:
|
||||
port: 80
|
24
test/linters/checkov/good/good_chart/Chart.yaml
Normal file
24
test/linters/checkov/good/good_chart/Chart.yaml
Normal file
|
@ -0,0 +1,24 @@
|
|||
apiVersion: v2
|
||||
name: good_chart
|
||||
description: A Helm chart for Kubernetes
|
||||
|
||||
# A chart can be either an 'application' or a 'library' chart.
|
||||
#
|
||||
# Application charts are a collection of templates that can be packaged into versioned archives
|
||||
# to be deployed.
|
||||
#
|
||||
# Library charts provide useful utilities or functions for the chart developer. They're included as
|
||||
# a dependency of application charts to inject those utilities and functions into the rendering
|
||||
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
|
||||
type: application
|
||||
|
||||
# This is the chart version. This version number should be incremented each time you make changes
|
||||
# to the chart and its templates, including the app version.
|
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||
version: 0.1.0
|
||||
|
||||
# This is the version number of the application being deployed. This version number should be
|
||||
# incremented each time you make changes to the application. Versions are not expected to
|
||||
# follow Semantic Versioning. They should reflect the version the application is using.
|
||||
# It is recommended to use it with quotes.
|
||||
appVersion: "1.16.0"
|
|
@ -0,0 +1,39 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: test-deployment
|
||||
namespace: test
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: test
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: test
|
||||
spec:
|
||||
serviceAccountName: {{ .Values.serviceAccount.name }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.securityContext | nindent 12 }}
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}@{{ .Values.image.digest }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: {{ .Values.service.port }}
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: http
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: http
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
36
test/linters/checkov/good/good_chart/values.yaml
Normal file
36
test/linters/checkov/good/good_chart/values.yaml
Normal file
|
@ -0,0 +1,36 @@
|
|||
replicaCount: 1
|
||||
|
||||
image:
|
||||
repository: nginx
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
digest: "bXlzdXBlcnNlY3JldGhpZGRlbnN0cmluZwo"
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
automount: false
|
||||
name: "test"
|
||||
|
||||
podSecurityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 10001
|
||||
|
||||
service:
|
||||
port: 80
|
||||
|
||||
resources:
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
Loading…
Reference in a new issue